EPSS Percentile: 45.7%
braces is vulnerable to Regular expression Denial of Service (ReDoS). parser.js uses the regular expression (^\\{(,+(?:(\\{,+\\})*),*|,*(?:(\\{,+\\})*),+)\\}) to detect empty braces, consuming 10 seconds of matching time for data 50K characters long.
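An added example, not code from the braces project or its fix commits: a single-pass recognizer for the same empty-braces prefix, which visits each character once and therefore has no backtracking to exploit. It assumes the doubled backslashes in the pattern above are string escaping (one backslash each in the actual regex); matchEmptyBraces and skipCommas are hypothetical names.

```javascript
// Grammar read from the regex on this page (anchored at the start only):
//   '{' commas(a) ( '{' commas(>=1) '}' )* commas(b) '}'   with a >= 1 or b >= 1
// Every state is decided by the next character alone, so one left-to-right
// pass is enough and the cost is linear in the input length.

// Advance past a run of commas starting at index i; returns the new index.
function skipCommas(str, i) {
  while (i < str.length && str[i] === ',') i++;
  return i;
}

// Returns the length of the matched empty-braces prefix, or -1 if none.
function matchEmptyBraces(str) {
  if (str[0] !== '{') return -1;
  let i = 1;

  // Leading commas (a).
  const afterLead = skipCommas(str, i);
  const lead = afterLead - i;
  i = afterLead;

  // Zero or more inner groups of the form '{' + one or more commas + '}'.
  while (str[i] === '{') {
    const end = skipCommas(str, i + 1);
    if (end === i + 1 || str[end] !== '}') return -1; // malformed group
    i = end + 1;
  }

  // Trailing commas (b).
  const afterTrail = skipCommas(str, i);
  const trail = afterTrail - i;
  i = afterTrail;

  // Closing brace, and at least one comma on either side of the groups.
  if (str[i] !== '}') return -1;
  if (lead === 0 && trail === 0) return -1;
  return i + 1;
}
```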
bugzilla.redhat.com/show_bug.cgi?id=1547272
github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113#diff-caeaa74c4969f2d75a290b060d866bd2R122
www.npmjs.com/advisories/786